CSCE 522

Firewalls

Readings

Pfleeger: 7.4

CSCE 522 - Farkas

Traffic Control Firewall

Brick wall placed between apartments to

prevent the spread of fire from one
apartment to the next
Single, narrow checkpoint placed between
two or more networks where security and
audit can be imposed on traffic which
passes through it
CSCE 522 - Farkas

Firewall

Private Network
Firewall

security wall between

private (protected)
network and outside word

External Network
CSCE 522 - Farkas

Firewall Objectives
Keep intruders,
malicious code and
unwanted
traffic or
information out

Private Network

Proprietary data

Keep proprietary
and sensitive
information in

External attacks

External Network
CSCE 522 - Farkas

Without firewalls, nodes:

Are exposed to insecure services

Are exposed to probes and attacks from outside
Can be defenseless against new attacks
Network security totally relies on host security
and all hosts must communicate to achieve high
level of security almost impossible

CSCE 522 - Farkas

Common firewall features

Routing information about the private network

can't be observed from outside
traceroute and ping -o can't see internal hosts
Users wishing to log on to an internal host must
first log onto a firewall machine

CSCE 522 - Farkas

Trade-Off between accessibility

and Security
Service Access Policy

Accessibility

Security

CSCE 522 - Farkas

Firewall Advantages

Protection for vulnerable services

Controlled access to site systems
Concentrated security
Enhanced Privacy
Logging and statistics on network use,
misuse
Policy enforcement
CSCE 522 - Farkas

Protection For Vulnerable

Services

Filtering inherently insecure services =>

fewer risks. For example,

NFS services
SNMP
TFTP
NetBIOS

CSCE 522 - Farkas

10

Controlled Access

A site could prevent outside access to its

hosts except for special cases (e.g., mail
server).
Do not give access to a host that does not
require access
Some hosts can be reached from outside,
some can not.
Some hosts can reach outside, some can not.
CSCE 522 - Farkas

11

Concentrated Security

Firewall less expensive than securing all

hosts

All or most modified software and additional

security software on firewall only (no need to
distribute on many hosts)

Other network security (e.g., Kerberos)

involves modification at each host system.

CSCE 522 - Farkas

12

Enhanced Privacy

Even innocuous information may contain

clues that can be used by attackers

E.g., finger:

information about the last login time, when e-mail

was read, etc.
Infer: how often the system is used, active users,
whether system can be attacked without drawing
attention

CSCE 522 - Farkas

13

Logging and Statistics on

Network Use, Misuse

If all access to and from the Internet passes

through the firewall, the firewall can
theoretically log accesses and provide
statistics about system usage
Alarm can be added to indicate suspicious
activity, probes and attacks double duty as
IDS on smaller networks
CSCE 522 - Farkas

14

Policy enforcement

Means for implementing and enforcing a

network access policy
Access control for users and services
Cant replace a good education/awareness
program, however:

Knowledgeable users could tunnel traffic to

bypass policy enforcement on a firewall

CSCE 522 - Farkas

15

Firewall Disadvantages

Restricted access to desirable services

Large potential for back doors
No protection from insider attacks
No protection against data-driven attacks
Cannot protect against newly discovered
attacks policy/situation dependent
Large learning curve
CSCE 522 - Farkas

16

Restricted Access to Desirable

Services

May block services that users want

E.g., telnet, ftp, X windows, NFS, etc.
Need well-balanced security policy
Similar problems would occur with host access
control
Network topology may not fit the firewall design
E.g., using insecure services across major gateways
Need to investigate other solutions (e.g., Kerberos)

CSCE 522 - Farkas

17

Back Doors

Firewalls DO NOT protect against back

doors into the site

e.g., if unrestricted modem access is still

permitted into a site the attacker could jump
around the firewall
Legacy network topology in large networks

CSCE 522 - Farkas

18

Little Protection from Insider

Attacks

Generally does not provide protection from

insider threats
Sneaker Net - insider may copy data onto
tape or print it and take it out of the facility

CSCE 522 - Farkas

19

Data-Driven Attacks

Viruses:

Executable Content:

users downloading virus-infected personal

computer programs
Java applets
ActiveX Controls
JavaScript, VBScript

End to End Encryption

Tunneling/Encapsulation
CSCE 522 - Farkas

20

Other Issues

Throughput: potential bottleneck (all

connections must pass through firewall)
Single point of failure: concentrates security in
one spot => compromised firewall is disaster
Complexity - feature bloat
Some services do not work well with firewalls
Lack of standard performance measurements
or techniques
CSCE 522 - Farkas

21

Firewall Components

Firewall Administrator
Firewall policy
Packet filters

transparent
does not change traffic, only passes it

Proxies

Active
Intercepts traffic and acts as an intermediary
CSCE 522 - Farkas

22

Firewall Administrator

Knowledge of underpinnings of network

protocols (e.g., TCP/IP, ICMP)
Knowledge of workings of applications that
run over the lower level protocols
Knowledge of interaction between firewall
implementation and traffic
Vendor specific knowledge
CSCE 522 - Farkas

23

Firewall Policy

High-level policy: service access policy

Low-level policy: firewall design policy

Firewall policy should be flexible!

CSCE 522 - Farkas

24

Service Access Policy

Part of the Network Security Policy

Goal: Keep outsiders out
Must be realistic and reflect required
security level
Full security vs. full accessibility

CSCE 522 - Farkas

25

Firewall Design Policy

Refinement of service access policy for specific

firewall configuration
Defines:

How the firewall achieves the service access

policy
Unique to a firewall configuration

Difficult!

CSCE 522 - Farkas

26

Firewall Design Policy

Approaches:

Open system: Permit any service unless

explicitly denied (maximal accessibility)

Closed system: Deny any service unless

explicitly permitted (maximal security)

CSCE 522 - Farkas

27

Simple Packet Filters

Applies a set of rules to each incoming IP packet

to decide whether it should be forwarded or
discarded.
Header information is used for filtering ( e.g,
Protocol number, source and destination IP, source
and destination port numbers, etc.)
Stateless: each IP packet is examined isolated
from what has happened in the past.
Often implemented by a router (screening router).
CSCE 522 - Farkas

28

Simple Packet Filter

Private Network

Placing a simple router (or

similar hardware) between
internal network and
outside
Allow/prohibit packets from
certain services

Packet
Filter

Packet-level
rules

Outside
CSCE 522 - Farkas

29

Simple Packet Filters

Advantages:

Does not change the traffic flow or

characteristics passes it through or doesnt
Simple
Cheap
Flexible: filtering is based on current rules

CSCE 522 - Farkas

30

Simple Packet Filters

Disadvantages:
Direct communication between multiple hosts and internal

network
Unsophisticated (protects against simple attacks)
Calibrating rule set may be tricky
Limited auditing

Single point of failure

CSCE 522 - Farkas

31

Stateful Packet Filters

Called Stateful Inspection or Dynamic Packet Filtering

Checkpoint patented this technology in 1997
Maintains a history of previously seen packets to make
better decisions about current and future packets
Check out:
CheckPoint, Stateful Inspection Technology,
http://www.checkpoint.com/products/downloads/
Stateful_Inspection.pdf

CSCE 522 - Farkas

32

Proxy Firewalls

View

Reality

Private Network

Private Network

Bastion
Host

Proxy Server

Outside

Outside

CSCE 522 - Farkas

33

Proxy Firewalls

Application Gateways

Works at the application layer must

understand and implement application protocol
Called Application-level gateway or proxy
server

Circuit-Level Gateway

Works at the transport layer

E.g., SOCKS
CSCE 522 - Farkas

34

Application Gateways

Interconnects one network to another for a specific

application
Understands and implements application protocol
Good for higher-level restrictions

Client

Application Gateway
CSCE 522 - Farkas

Server
35

Application Gateways

Advantages: by permitting application traffic directly to

internal hosts

Information hiding: names of internal systems are not known to

outside systems
Can limit capabilities within an application
Robust authentication and logging: application traffic can be preauthenticated before reaching host and can be logged
Cost effective: third-party software and hardware for authentication
and logging only on gateway
Less-complex filtering rules for packet filtering routers: need to
check only destination
Most secure
CSCE 522 - Farkas

36

Application Gateways

Disadvantages:

Keeping up with new applications

Need to know all aspects of protocols
May need to modify application
client/protocols

CSCE 522 - Farkas

37

Circuit-Level Gateways

Is basically a generic proxy server for TCP

Works like an application-level gateway,
but at a lower level
SOCKS most widely know circuit-level
gateway

CSCE 522 - Farkas

38

Circuit-Level Gateways

Advantages:

Dont need a separate proxy server for each

application
Provides an option for applications for which
proxy servers dont yet exist
Simpler to implement than application specific
proxy servers
Most Open-Source packages can be easily
extended to use SOCKS
CSCE 522 - Farkas

39

Circuit-Level Gateways

Disadvantages:

No knowledge of higher level protocols cant

scan for active content or disallowed commands
Can only handle TCP connections new
extensions proposed for UDP
Proprietary packages, TCP/IP stacks must be
modified by vendor to use circuit-level
gateways
CSCE 522 - Farkas

40

Home Users

Home routers:
Come with built-in firewall
Generally simple packet filters
Can block all incoming connections on all ports if
desired
Open connections as needed
Examples:
Download files from outside using FTP: allow
incoming connections on Port 21

CSCE 522 - Farkas

41

Windows Firewall
Functionality:
Help block computer viruses and worms from
reaching your computer
Ask for your permission to block or unblock
certain connection requests
Allow to create a record (a security log), if you
want one, that records successful and unsuccessful
attempts to connect to your computer

CSCE 522 - Farkas

42

Windows Firewall
What it does not support:

Detect or disable computer viruses and worms

if they are already on your computer
Stop you from opening e-mail with dangerous
attachments
Block spam or unsolicited e-mail from appearing
in your inbox

CSCE 522 - Farkas

43

Third Party Firewall

Ranging in price between FREE and $50

on average

ZoneAlarm Pro 5
PC-Cillin 2004 Internet Security
Norton Personal Firewall 2005
McAfee Personal Firewall 6.0 2005

CSCE 522 - Farkas

44

Firewall Evaluation

Level of protection on the private network ?

Prevented attacks
Missed attacks
Amount of damage to the network
How well the firewall is protected?
Possibility of compromise
Detection of the compromise
Effect of compromise on the protected network
Ease of use
Efficiency, scalability, redundancy
Expense
CSCE 522 - Farkas

45

ECONOMIC AND LEGAL

ASPECT

CSCE 522 - Farkas

46